CVE-2019-15552

Name of the Vulnerable Software and Affected Versions libflate versions prior to 0.1.25

Description The issue is related to a use-after-free vulnerability in the MultiDecoder::read() function, which can lead to arbitrary code execution. This occurs when the execution of MultiDecoder::read() is interrupted by a panic in a caller-supplied Read implementation, causing drop() to be called on uninitialized memory of a generic type implementing Read. The vulnerability allows an attacker to potentially gain arbitrary code execution.

Recommendations For versions prior to 0.1.25, update to version 0.1.25 or later to resolve the issue. As a temporary workaround, consider aborting immediately instead of unwinding the stack in case of a panic within MultiDecoder::read().